I’m curious what’s the best practice regarding using multiple 2FA methods with Bitwarden.
Should you disable “less secure” methods such as an authenticator app when you have also set up FIDO2 WebAuthn?
For example, I’ve associated three FIDO2 passkeys (two YubiKeys and an Apple TouchID/FaceID) with my Bitwarden account and also stored the printed-out 2FA recovery code away at home. Should I go ahead and disable the authenticator app option in Bitwarden and thus force the use of FIDO2 as a second factor?
I mainly use FIDO2 keys as my indicator, but I also have TOTP codes activated, only because I have a device that doesn’t support FIDO2, which I sometimes use. That way I don’t have to reset the 2FA that is activated to gain access.
Also, if by any chance my renewal of premium isn’t working, I won’t be without any 2FA option, as all premium 2FA options are removed when you’re not premium anymore.
TOTP authentication is vulnerable to phishing and man-in-the-middle attacks.
@tomillr is correct. Your 2FA is only as strong as your weakest factor. Best practice would be to disable all 2FA methods except for FIDO2/WebAuthn, and to keep a copy of the 2FA recovery code safely stored (in addition, registering at least one extra key as a backup would be a good idea).
The one possible exception is if you need to use Bitwarden on the Desktop app in macOS or Linux, or if you otherwise have devices/client apps on which your FIDO2 passkeys do not work.
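The point made in the two posts above (a TOTP code is accepted wherever it was typed, while a WebAuthn assertion is bound to the origin that requested it) as an added Python illustration; this is not code from the thread or from Bitwarden. The TOTP half is RFC 6238 over HMAC-SHA1. The WebAuthn half keeps the relying-party checks of the real protocol (origin and challenge in clientDataJSON, rpIdHash in authenticatorData, signature over authenticatorData || SHA-256(clientDataJSON)) but, to stay dependency-free, uses an HMAC with a per-credential secret as a stand-in for the ECDSA signature. The origins, the credential secret and the challenge are constructed for the example.

```python
"""Why a relayed TOTP code verifies but an origin-bound assertion does not."""
import base64
import hashlib
import hmac
import json
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def server_verify_totp(secret: bytes, submitted: str, unix_time: int, skew: int = 1) -> bool:
    """The check takes only the code and the time: nothing in it records which
    page the user typed the code into, so the same code presented via any
    intermediary within the validity window verifies just the same."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + 30 * d), submitted)
        for d in range(-skew, skew + 1)
    )


def client_data_json(challenge: bytes, origin: str) -> bytes:
    """The browser, not the user, fills in the origin of the page that asked."""
    b64 = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64, "origin": origin}, sort_keys=True
    ).encode()


def authenticator_sign(cred_secret: bytes, rp_id: str, cdj: bytes) -> dict:
    """Simplified authenticator: signs authenticatorData || SHA-256(clientDataJSON).
    HMAC with a constructed per-credential secret stands in for ECDSA here."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    auth_data = rp_id_hash + b"\x01" + (0).to_bytes(4, "big")  # flags: UP set; counter 0
    to_sign = auth_data + hashlib.sha256(cdj).digest()
    sig = hmac.new(cred_secret, to_sign, hashlib.sha256).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": cdj, "signature": sig}


def server_verify_assertion(cred_secret: bytes, assertion: dict,
                            expected_origin: str, rp_id: str, challenge: bytes) -> bool:
    """Relying-party side: reject unless type, challenge, origin, rpIdHash and
    signature all match. The origin check is what defeats a relayed login."""
    cd = json.loads(assertion["clientDataJSON"])
    expected_challenge = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != expected_origin:  # origin binding
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(cred_secret, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def demo() -> dict:
    """Same user and authenticator: one login from the genuine page and one in
    which the server's challenge reached the browser through a page on a
    different (constructed, look-alike) origin."""
    real_origin = "https://vault.example"    # constructed; stands in for the real site
    other_origin = "https://vau1t.example"   # constructed look-alike origin
    totp_secret = b"12345678901234567890"    # RFC 6238 test-vector secret
    cred_secret = b"per-credential-secret"   # constructed
    now = 1_700_000_000
    challenge = hashlib.sha256(b"server-random-challenge").digest()  # constructed

    code = totp(totp_secret, now)  # what the user reads off their app, wherever they are asked
    genuine = authenticator_sign(cred_secret, "vault.example",
                                 client_data_json(challenge, real_origin))
    relayed = authenticator_sign(cred_secret, "vault.example",
                                 client_data_json(challenge, other_origin))
    return {
        "totp_accepted_from_anywhere": server_verify_totp(totp_secret, code, now + 20),
        "webauthn_genuine": server_verify_assertion(cred_secret, genuine, real_origin,
                                                    "vault.example", challenge),
        "webauthn_relayed": server_verify_assertion(cred_secret, relayed, real_origin,
                                                    "vault.example", challenge),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry the posts describe: the TOTP code is accepted because the verifier has no notion of where it was entered, whereas the assertion built on the other origin fails the relying party's origin check even though the same authenticator signed it with the same credential. Real browsers add a further layer the toy omits: they refuse to use a credential for an rpId that the requesting origin is not allowed to claim.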
You have outlined a good plan. You have multiple types of WebAuthn (YubiKeys and FaceID) and multiple instances of it. You also have printed your 2FA recovery code. So, you have good redundancy. You should be safe now deleting your TOTP codes. Just be aware that you can’t sign into all Bitwarden products with WebAuthn, such as their desktop app. I would also back up your vault as an encrypted JSON file with the personal password option and store it somewhere safely.
Your objection to the third link notwithstanding, did you read any of the articles and the linked resources?
Are you claiming that Man-In-The-Middle attacks, Social Engineering attacks, Brute Force attacks, or clock-based attacks are not possible?
The articles I cited represent only a few examples of the ones that surfaced when doing a Google search for TOTP vulnerabilities — I just wanted to illustrate the variety of plausible attack vectors against TOTP; my goal was not to provide authoritative references for attacks that have been documented in the wild. Perhaps some of the following resources are more credible/creditable to you: